kritis-validation-hook is a key component for verifying image signatures so that only trusted containers are deployed. With signature verification, only images signed by trusted authorities are admitted to the cluster, which reduces the risk of running malicious code. This topic describes how kritis-validation-hook works, with step-by-step examples.

Background information

Based on the open-source project kritis, kritis-validation-hook is integrated with Container Registry (ACR) to support signature verification of images that are signed by using Key Management Service (KMS). kritis-validation-hook works with Security Center, KMS, and ACR to implement a fully automated image signing and verification process, helping you build a more secure software supply chain.


The following example demonstrates how kritis-validation-hook works by enabling image signature verification for the default namespace.
Note: This example skips the image signing steps because signing is outside the scope of kritis-validation-hook. The signature information used in this example is as follows:
  • The address of the image signed by using KMS is
  • The KMS public key is stored in file publickey.txt.
  • The KMS key ID is 4a2ef103-5aa3-4220-89ee-kms-key-id.
  • The Container Registry namespace that corresponds to the default namespace is 13579-namespace.
  1. Run the following code to create an AttestationAuthority object as a trusted authority.
    The following code configures the preceding KMS public key information:
    $ cat <<EOF > AttestationAuthority.yaml
    apiVersion: kritis.grafeas.io/v1beta1
    kind: AttestationAuthority
    metadata:
      name: 13579-namespace
    spec:
      noteReference: namespaces/13579-namespace
      publicKeyData: $(cat publickey.txt | base64 | tr -d '\n')
      publicKeyId: 4a2ef103-5aa3-4220-89ee-kms-key-id
    EOF
    $ kubectl apply -f AttestationAuthority.yaml
  2. Run the following code to create a GenericAttestationPolicy object that declares the attestation policy and names the trusted authority used to verify signatures.
    $ cat <<EOF > GenericAttestationPolicy.yaml
    apiVersion: kritis.grafeas.io/v1beta1
    kind: GenericAttestationPolicy
    metadata:
      name: demo-gap
    spec:
      attestationAuthorityNames:
      - 13579-namespace
    EOF
    $ kubectl apply -f GenericAttestationPolicy.yaml
  3. Run the following commands to test the signature verification function and verify that images not signed by the trusted authority are not deployed.
    $ kubectl create deployment test-denied --image=alpine:3.11
    Error from server: admission webhook "" denied the request: image alpine:3.11 is not attested
    $ kubectl create deployment test-denied
    Error from server: admission webhook "" denied the request: image is not attested
  4. Run the following command to test the signature verification function and verify that the image signed by the trusted authority is deployed.
    $ kubectl create deployment test-allow
    deployment.apps/test-allow created
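To make the admission decision behind steps 3 and 4 concrete, here is an offline model of it. This is an added example, not code from kritis or from the ACK component: the AttestationAuthority and GenericAttestationPolicy records mirror the objects created above, while the image references (under the constructed registry registry.example.com), the digests, the attestation records and the signature check are all constructed. The signature check in particular is a hash-based stand-in for the real KMS signature verification; what it preserves is the logic that matters to a defender: an image is only admitted when every authority named by the policy has an attestation for that exact digest, signed with the publicKeyId the authority declares, and a tag-only reference such as alpine:3.11 has no digest to attest and is therefore denied.

```python
"""Offline model of the per-image decision kritis-validation-hook makes.

Constructed example: policy, authority, attestations, image references and
Pod spec are made up to mirror the walkthrough; the signature check is a
hash-based stand-in for the real KMS/asymmetric signature verification.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# A digest-pinned reference looks like repo/name@sha256:<64 hex>. A tag-only
# reference carries no digest and so cannot be matched to any attestation.
_DIGEST_RE = re.compile(r"^(?P<repo>[^@]+)@(?P<digest>sha256:[0-9a-f]{64})$")


def image_digest(image: str) -> Optional[str]:
    """Return the sha256 digest of a digest-pinned image reference, else None."""
    m = _DIGEST_RE.match(image)
    return m.group("digest") if m else None


# Stand-in for a KMS signature over the image digest: an attestation is
# "valid" when its signature equals sha256(publicKeyId || digest). A real
# deployment verifies an asymmetric signature with the authority's public key.
def fake_sign(key_id: str, digest: str) -> str:
    return hashlib.sha256(f"{key_id}|{digest}".encode()).hexdigest()


def verify_signature(key_id: str, digest: str, signature: str) -> bool:
    return signature == fake_sign(key_id, digest)


def is_attested(image: str, policy: dict, authorities: Dict[str, dict],
                attestations: List[dict]) -> Tuple[bool, str]:
    """Allow only if every authority named by the policy has a valid
    attestation for this image's digest made with its declared publicKeyId."""
    digest = image_digest(image)
    if digest is None:                       # tag only: nothing to verify
        return False, f"image {image} is not attested"
    for name in policy["spec"]["attestationAuthorityNames"]:
        auth = authorities.get(name)
        if auth is None:                     # policy references a missing authority
            return False, f"attestation authority {name} not found"
        key_id = auth["spec"]["publicKeyId"]
        ok = any(
            a["authority"] == name
            and a["digest"] == digest
            and verify_signature(key_id, digest, a["signature"])
            for a in attestations
        )
        if not ok:
            return False, f"image {image} is not attested"
    return True, "ok"


def admit_pod(pod: dict, policy: dict, authorities: Dict[str, dict],
              attestations: List[dict]) -> Tuple[bool, List[str]]:
    """Check every container image in the Pod spec, init containers included."""
    spec = pod["spec"]
    images = [c["image"] for c in spec.get("initContainers", []) + spec.get("containers", [])]
    denials = [msg for img in images
               for ok, msg in [is_attested(img, policy, authorities, attestations)] if not ok]
    return (not denials), denials


# --- constructed sample data mirroring the walkthrough ---------------------
KEY_ID = "4a2ef103-5aa3-4220-89ee-kms-key-id"
AUTHORITIES = {
    "13579-namespace": {
        "kind": "AttestationAuthority",
        "metadata": {"name": "13579-namespace"},
        "spec": {"noteReference": "namespaces/13579-namespace", "publicKeyId": KEY_ID},
    }
}
POLICY = {"kind": "GenericAttestationPolicy", "metadata": {"name": "demo-gap"},
          "spec": {"attestationAuthorityNames": ["13579-namespace"]}}

SIGNED_DIGEST = "sha256:" + "a1" * 32     # constructed digest of the signed image
OTHER_DIGEST = "sha256:" + "b2" * 32      # constructed digest of an image signed by a rogue key
SIGNED_IMAGE = "registry.example.com/13579-namespace/app@" + SIGNED_DIGEST
ROGUE_IMAGE = "registry.example.com/13579-namespace/other@" + OTHER_DIGEST

ATTESTATIONS = [
    {"authority": "13579-namespace", "digest": SIGNED_DIGEST,
     "signature": fake_sign(KEY_ID, SIGNED_DIGEST)},
    # Attestation made with a key the authority does not declare: must be rejected.
    {"authority": "13579-namespace", "digest": OTHER_DIGEST,
     "signature": fake_sign("rogue-key-id", OTHER_DIGEST)},
]


def pod_with(image: str) -> dict:
    return {"spec": {"containers": [{"name": "app", "image": image}]}}


if __name__ == "__main__":
    for img in ("alpine:3.11", ROGUE_IMAGE, SIGNED_IMAGE):
        ok, why = admit_pod(pod_with(img), POLICY, AUTHORITIES, ATTESTATIONS)
        print("allowed" if ok else "denied: " + "; ".join(why))
```

Running the module prints one decision per image: the tag-only alpine:3.11 and the image attested with an undeclared key are denied with the same "is not attested" wording the webhook uses, and only the digest-pinned image attested under the declared publicKeyId is allowed. The digest requirement is exactly what the planned immutable-tag support is meant to relax.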

Next up

kritis-validation-hook will work with other Alibaba Cloud services to provide features including, but not limited to, the following:
  • Immutable image tags. With immutable tags, you do not need to specify the image digest during signature verification. This helps improve user experience.
  • Image vulnerability detection. This feature prevents you from deploying images that are exposed to vulnerabilities of certain severity levels, which further lowers security risks.